Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

7.
v
Cisco VMDC Cloud Security 1.0
Design Guide
Preface
Rapid technological changes and evolving business requirements continually challenge organizations to
protect their assets. While constant change in the business landscape drives the adoption of new
technologies in IT networks, organizations find it increasingly difficult to address new and more
sophisticated attacks that threaten corporate assets and disrupt business operations.
Localized security policies and devices at network perimeters can no longer safeguard corporate assets
nor ensure operational continuity. Today, secure corporate networks require multiple layers of protection
and implementation of a unified, system-wide, security strategy. The current Internet security landscape
emphasizes the need for end-to-end security architectures, along with design and implementation
guidelines for building secure and resilient network infrastructures.
In particular, data centers need secure infrastructures. In any organization, a typical data center houses
the most critical and valuable assets. This guide describes an architectural data center security
framework, based on Cisco's Virtual Multiservice Data Center (VMDC) 2.3 architecture, specifically
designed to work with the rest of organizations' network security infrastructures.
This guide is written for network and security engineers to help them to design, implement, and operate
secure network infrastructures that address today's challenging business environments.
Cisco VMDC Cloud Security Release 1.0 is a reference architecture providing design and
implementation guidance for cloud deployments. Numerous service providers and enterprises have
implemented multiple VMDC versions in private, public, and hybrid cloud deployments. VMDC Cloud
Security 1.0 provides an end-to-end validated system that integrates a variety of Cisco and third-party
products. Figure 1 shows the VMDC layers and major components.

9.
C H A P T E R
1-1
Cisco VMDC Cloud Security 1.0
Design Guide
1
Introduction
As service providers increasingly provide cloud-based services to enterprises and small businesses in
virtual and multi-tenant environments, their security strategies must continually evolve to detect and
mitigate emerging threats. In the VMDC reference architecture, physical and virtual infrastructure
components such as networks (routers and switches), network-based services (firewalls and load
balancers) - and computing and storage resources are shared among multiple tenants, creating shared
multi-tenant environments.
Security is especially important in these environments because sharing physical and virtual resources
increases the risk of tenants negatively impacting other tenants. Cloud deployment models must include
critical regulatory compliance such as Federal Information Security Management Act (FISMA), Health
Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security
Standard (PCI DSS).
The VMDC Cloud Security 1.0 solution enables customers to:
• Detect, analyze, and stop advanced malware and advanced persistent threats across the attack
continuum.
• Consistently enforce policies across networks and accelerate threat detection and response.
• Access global intelligence using the right context to make informed decisions and take fast,
appropriate action.
• Comply with security requirements for regulatory requisites such as FISMA, HIPAA, and PCI.
• Support secure access controls to prevent business losses.
• Secure data center services using application and content security.
Challenges
When deploying multi-tenant cloud data centers, Service providers are challenged to provide a secure,
physical and virtual, environment for tenants. When onboarding tenants of different vertical segments
such as financial, health care, or federal the service provider faces a bigger challenge in terms of meeting
industry standards and legal compliance within their data center and services. The following sections
highlight the key challenges the service provider may have.

10.
1-2
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 1 Introduction
Solution Benefits
Multi-Tenancy and Secure Segmentation
Service Providers (SPs) can use multi-tenant data centers to efficiently and economically provide cloud
services using shared hardware and network infrastructures. For security, this approach requires
complete separation of network traffic by tenant, along with strict access control policies, because
multiple tenants share the same network infrastructure, and compute and storage resources. This is also
true for large enterprises deploying private virtual data centers and private clouds, in which internal
tenants require separation.
As SPs support multiple tenants in shared data centers, each tenant must be completely and securely
segmented to protect them from external threats. Segmentation also provides threat boundaries that can
confine threats. Data center tenants must be protected using consistent, ongoing security controls that
span the physical and virtual infrastructures.
Secure Data Center Access
In multi-tenant environments with increased mobile device access and network and application
virtualization, networks must perform increasing security enforcement in the face of new, highly
sophisticated threats. Networks must do this before granting access to applications. As networks become
more aware of context and applications, networks are taking over more user authentication and access
policy authorization and enforcement tasks from applications.
The network security infrastructure is increasingly required to enforce identity and role-based policies,
and to make other contextual decisions. The capability to block traffic to an application or server in the
data center or cloud cannot be based simply on typical host source and destination addresses. Network
and data center security must be based on the identities and roles of users, security policies, blacklisting,
and application transactions.
In multi-tenant data centers, multiple tenants remotely access their applications, which typically share
hardware and systems software with other tenants. The access can also depend on context-specific
attributes other than identity, such as the type of device accessing the application, the location of the
user, and the time of the request. Context-aware policies are increasingly the responsibility of data center
firewall and intrusion prevention systems (IPS), intelligent log monitoring and detection. These
capabilities must expand to detect and control traffic based on sophisticated policies and monitoring for
the presence of malware, unauthorized access attempts, and attacks.
Industry Standards and Regulatory Compliance
Multi-tenant/multiservice data center deployments, which provide multiple cloud services to multiple
enterprises, must ensure compliance with industry standards and regulatory requirements to support
various different vertical industries, such as health care, finance, and defense. When SPs provide
services and provision such tenants, they must comply with the industry standards and regulations, and
must provide audit trails.
Solution Benefits
The VMDC Cloud Security Release 1.0 solution integrates Cisco and third-party products to deliver
comprehensive, cohesive security frameworks for SPs and enterprises. The solution provides clear
guidance for achieving compliance with industry standards and regulatory requirements in public,

11.
1-3
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 1 Introduction
Audience
private, and hybrid cloud deployments. The solution is built on a vPC-based VMDC release that is
extensively validated for performance and scaling, and is widely deployed by enterprises and SPs
worldwide. The following significant solution benefits are derived.
End-to-End Security
The numerous aspects of data center security are deployed among several network infrastructure
elements. When deploying cloud data centers, service providers need to secure the data center
end-to-end to protect their network environment and their customers data. VMDC Cloud Security 1.0
brings together many security devices in a cohesive manner with end-to-end validation to significantly
reduce the implementation complexity enabling public cloud providers to improve time to market their
services.
Integrates Additional Security Components with VMDC
VMDC provides a seamless approach and architecture for integration with various security elements,
such as Cisco CTD, NGIPS, NGA, ACS, and Splunk. This significantly reduces implementation time
and risks.
Addresses Key Cloud Provider Challenges
VMDC Cloud Security 1.0 validates use cases that address the key challenges that cloud providers face
today, enabling them to achieve end-to-end security and data center compliance.
Provide Guidance for FISMA, HIPAA, and PCI DSS Compliance
VMDC Cloud Security 1.0 undergoes extensive third-party auditing to ensure that the security
framework is compliance-ready. This potentially enables cloud providers to achieve compliances in an
efficient and cost effective way. The solution provides detailed guidance and gap analysis to reduce the
risk of compliance failure.
Audience
This guide document is intended for, but not limited to, security architects, system architects, network
design engineers, system engineers, field consultants, Advanced Services specialists, and customers
who want to deploy end-to-end security and achieve industry-standards and regulatory compliance in
public and private cloud data center deployments.
• Readers should be familiar with the basic concepts of IP protocols, quality of service (QoS), High
Availability, security technologies and requirements, and industry-standards and regulatory
compliance acumen.
• Readers should understand general system requirements, along with enterprise and SP network and
data center architecture.

14.
1-6
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 1 Introduction
Use Cases for End-to-End Secure Cloud Deployments
Identity and Access Management
Identity and access management is one of the issues service providers face in a multi-tenant environment
where one or more tenants have access to various components of the data center. This creates a dire
security threat if there is no centralized monitoring and management of access control.
Cisco Secure Access Control Server (ACS) provides a centralized highly scalable, policy-based network
access and device access administration control platform that operates as a centralized RADIUS and
TACACS+ server. It extends access security by combining authentication, user access, and administrator
access with policy control within a centralized identity networking solution, allowing greater flexibility
and mobility, increased security, and user-productivity gains.
Next Generation Intrusion Prevention
In multi-tenant cloud deployment virtualization and cloud computing introduce new security risks and
challenges around new technologies and changing business processes. To succeed, organizations must
address threat defense in depth to protect network from external and internal threats.
The Next Generation Cisco FirePOWER IPS provides threat detection capabilities that are currently
required in multi-tenant cloud data centers deployments to mitigate new and emerging cyber threats.
Network Visibility, Monitoring, and Threat Detection
Network visibility in a multi-tenant data center with virtual environment is of primary concern for the
service providers. They have to ensure that the same controls used in the physical world that are used in
the virtual world. These controls need with the same consistent visibility and ability to see any and all
traffic in and out of the data center.
This security architecture provides network visibility to monitor and detect the threat of malware
spreading throughout a multi-tenant data center. Detecting threats and illegal activity within a network
is an essential part of any security framework and architecture.
Real-Time Operational Intelligence—Event Monitoring and Logging
Event monitoring and logging is essential in any security framework and architecture. However, in a
multi-tenant cloud data center deployments, it is difficult to identify security events in a timely manner
and re-mediate them efficiently.
In VMDC Cloud Security 1.0, Splunk a technology partner virtual appliance is used that provide ability
to monitor, search, analyze, visualize and act on the massive streams of machine data generated by the
network and security appliances. It also perform monitoring of IT systems and infrastructure in real time
to identify issues, problems and attacks before they impact your customers, services and revenue.
Site-to-Site Virtual Private Networks
Until recently, implementing site-to-site virtual private networks (VPNs) required additional hardware,
such as an Aggregation Services Router (ASR) 1000 Series router, which increases OPEX and CAPEX.
Now, Cisco Adaptive Security Appliance (ASA) products can implement site-to-site VPN inside ASA
firewalls.

18.
2-2
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 2 Cloud Security Solution Overview
Security Architectural Principles
Secure Separation
Secure separation describes the partitioning that prevents one tenant from having access to other tenants’
environments and administrative features of the cloud infrastructure.
Isolation
Isolation provides a secure foundation for multi-tenant data centers and server farms. Depending on the
design goals, isolation can be achieved using firewalls; access control lists (ACLs); virtual LANs
(VLANs), Virtual Routing and Forwarding tables (VRFs), virtualization, storage networks, and physical
separation. In addition, Intrusion Prevention appliances that can inspect traffic and detect security events
on a per-VLAN basis can provide an additional level of threat isolation between different tenants. When
combined, these can provide appropriate levels of security enforcement to server applications and
services for multiple tenants.
Policy Enforcement and Access Control
Role Based access and authentication is an essential part of a comprehensive security framework.
Obviously access to network devices and appliances needs to be regulated. If the infrastructure device
access is compromised, the security and management of the entire network is at risk. Consequently, it is
critical to establish the appropriate security measures and controls in order to prevent unauthorized
access to infrastructure devices. Creating common policies and authentication measures across the
environment is imperative in minimizing operational complexities and maximizing security. This
solution provides policy enforcement and access control methods in a unified approach across all layers
of the solution in order to address both complexity and security concerns.
Visibility
Data centers are becoming pliable in scaling to accommodate new virtual machines (VMs) and services.
Server virtualization technologies, such as vMotion, enable servers to be deployed in and moved
between multiple physical locations with minimal manual intervention. As VMs move and traffic
patterns change, security administrators face challenges when attempting to actively monitor threats in
the infrastructure. This architecture leverages threat detection and mitigation capabilities with
state-of-the-art IPS appliances and cyber-threat-detection applications. This architect dynamically
analyzes and correlates alarm, data, and event information to identify threats, visualize the attack paths,
and also provide possible enforcement response options.
Resiliency
Resiliency implies that endpoints, infrastructure, and applications in multi-tenant environments are
protected and can withstand attacks that would otherwise cause service disruptions, data exposure and
unauthorized access. Proper infrastructure hardening, application redundancy, and firewalls are some of
the approaches needed to achieve the desired resiliency.

21.
2-5
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 2 Cloud Security Solution Overview
Secure Data Centers for Public and Private Cloud Providers
• Compliance, page 2-7
Physical Data Center Security
This includes having secure physical locations and controlled physical access to buildings and data
center and network devices. Data centers must have badged or biometrically controlled access for data
center administrators and maintenance personnel only. Physical data center security also applies to
power management and heating/cooling equipment.
Note Physical data center security outside the scope of this guide.
Network Infrastructure Security
To secure the network infrastructure, SPs must protect and secure the physical and virtual infrastructure.
For VMDC Cloud Security 1.0, the infrastructure is made up of the following elements:
• Data center border routers
• Data center edge/aggregation switches
• Access switches
• Load balancers
• Firewalls
• FirePOWER Next Generation Intrusion Prevention System (NGIPS)
• Compute, including Fabric Interconnect and Cisco Unified Computing System (UCS) chassis
• Storage area network (SAN) storage
• Cisco Nexus 1000V virtual switch
• Management components
• Cisco Virtual Security Gateway (VSG)
To provide network security, each element must be deployed redundantly so that the data center can
sustain an element failure in any layer. For example, failure of an edge switch, load balancer, or IPS
should not result in a system failure. We also recommend multiple paths among the infrastructure
elements to protect data center integrity in case of a link failure in any layer.
Content Security
The Cisco Hosted Security Solution (HSS) validated design includes email and web security virtual
appliances, ESAv and WSAv, to provide content security services. The HSS solution will reside in the
service provider data center, and can be managed directly by the service provider, Cisco Smart Ops team,
or a third party managed service provider.
For further details, refer to the HSS Design Guide.

22.
2-6
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 2 Cloud Security Solution Overview
Secure Data Centers for Public and Private Cloud Providers
Data Security
To protect a cloud data center in which multiple tenants use the same infrastructure, data paths must be
secured so that intrusions and malware are detected and blocked. At a minimum, data must be secured
using encryption, both while data is in transit and data at rest.
The data path can be north-south (server to client) and east-west (between VMs). For example, consider
a tenant in which departments must be separated so that the departments cannot access applications in
other departments. This can be achieved using multiple security elements, such as physical firewalls,
NGIPS, and VSG that provide access control in the virtual environment.
Operating System Security and Hardening
We recommend updating the network infrastructure, virtual and physical systems, and applications to
the most recent validated releases to ensure that no known security vulnerabilities are present. Install
antivirus software and all operating patches and keep them current.
Secure Access Control
In multi-tenant data centers, cloud administrator can potentially access the entire infrastructure, and may
have remote access, along with local access, to manage it. Because the infrastructure is the heart of the
data center, all communication among devices in the data center must be encrypted; no unencrypted
connections to any device should be allowed. For example, accessing a device over a Web interface must
use HTTPS using Secure Socket Layer (SSL) 2.0 and higher). HTTP must not be enabled for web portal
access.
To reduce security risks when accessing the data center, we recommend implementing RBAC to control
access so that administrators have access only to systems for which they have administrative
responsibilities.
For example, cloud administrators are typically responsible for the data center infrastructure and may
not need access to the individual tenants and applications. Similarly, database and other services and
application administrators should not have access to the data center virtual and physical infrastructure,
but need access to certain portals. If an SP gives access to a tenant administrator to perform tasks in the
SP virtual environment, the access must be read only or otherwise restricted to reduce security breach
risks.
Network Visibility and Operation Intelligence and Monitoring
In environments for SPs and large enterprises having SP-type deployments, in which multiple tenants
access the same physical and virtual data center infrastructure for services, complete network visibility
is required. Centralized logging and event monitoring potentially helps in operations and maintenance.
CTD and the third-party logging and monitoring appliance Splunk can provide the required visibility.
Centralized logging, monitoring large amounts of data, and recording transaction history is required for
regulatory compliance for FISMA, HIPAA, and PCI DSS.

25.
C H A P T E R
3-1
Cisco VMDC Cloud Security 1.0
Design Guide
3
Cloud Security Design Details
Data security breaches, intrusions, and malware attacks occur many times every day and can be active
for long periods without system owners even detect the breaches. Often, detection occurs after the
damage is done, and can require huge efforts to mitigate. Successful attacks can hurt reputations, cost
lots of money, and erode customer trust.
Most of the time malware takes at least a week or two to detect and identify. Due to this length of
duration it is extremely difficult and sometimes impossible to identify infected devices on the network.
It is critical to identify malware infection as quickly as possible so that appropriate action can be taken
to quarantine an infection, stop it from spreading, and clean infected systems.
When SPs and enterprises deploy cloud data centers, they must determine security requirements based
on the type of deployment and the services being provided. Different vertical industries require different
levels of data center and network security when deployed in the cloud.
To address these issues, the VMDC Cloud Security 1.0 solution focuses on guidance and gap analysis to
mitigate cyber threats and security risks and enable cloud providers to achieve industry standard
compliances efficiently and cost effectively reducing huge operation cost.
To deploy this architecture and support various vertical industries such as, health care, finance, and
federal government, the VMDC Cloud Security 1.0 solution integrates additional critical security
components with the VMDC 2.3 reference architecture to provide better, more efficient security and
compliance.
When cloud services are provided in multi-tenant environments in which multiple tenants share the same
network infrastructure and compute and storage resources, the separation, segmentation, and security of
each tenant is extremely important.
Secure separation, or multi-tenancy, separates workloads and virtual machines (VMs) to meet tenant
(customer) separation, security, compliance, and service-level agreement (SLA) requirements while
sharing a compute, storage and networking infrastructure. Today’s consolidated data centers and clouds
have disparate user groups with needs that range from simple segmentation to complete separation of
network traffic and strict access control policies, even though they share the same physical servers and
networks.
Data centers based on Virtualized Multiservice Data Center (VMDC) reference architecture consist of
network, storage, and compute resources. Such data centers are typically interconnected and provide
access to WANs, IP and Next Generation Networks (NGN), and the public Internet. VMDC-based data
centers support multi-tenancy and multi-services, and provide management elements for administrative
functions, orchestration (cloud portals, service catalog, and workflow automation), and assurance.

31.
3-7
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Reference Architecture
NGIPS, deployed in transparent bridge mode, inspects traffic based on VLAN tags per tenant. When
traffic reaches the inline NGIPS, NGIPS inspects traffic based on the tenant VLAN configuration and
applies access policies and other deep inspection policies.
VMDC Cloud Security 1.0 Tenant Containers
The VMDC 2.3 reference architecture supports multiple network containers, which are also called
consumer models. The consumer models are described in greater detail in VMDC 2.3 documentation.
This section describes the consumer models validated for VMDC Cloud Security 1.0. VMDC Cloud
Security 1.0 supports the previously defined VMDC 2.3 consumer models, the same concepts of security
features can be applied to other VMDC architectures. However, VMDC Cloud Security 1.0 validation
focuses on Gold and Copper containers, which cover most VMDC 2.3 public and private cloud
deployments.
Depending on VMDC container type, traffic may or may not go through security devices, based on
subscribed services. However, because SPs must protect their data centers, traffic entering and leaving
a multiservice data center must be monitored and inspected, and complete data center visibility is
required. Hence, the VMDC 2.3 Gold and Copper network containers (which contain the ASA based
perimeter FW service) are relevant for inserting NGIPS services as part of this VMDC Cloud Security
1.0 solution validation. It is also to be noted that while the security concepts in this solution are overlaid
on the VMDC 2.3 architecture and container models, the same concepts can also be applied to other
VMDC architectures like VMDC 3.0 etc.
To monitor all traffic, even traffic that does not go through a firewall and other security devices, we
recommend using NetFlow to capture traffic from various locations in the data center, and using Syslog
from all key network and security elements, including but not limited to aggregation, access, and virtual
switches, along with firewalls, to provide complete data center visibility.
VMDC Cloud Security 1.0 Gold Container
A Gold container, with perimeter firewall, VSG, NGIPS, and server load balancer services, provides a
higher degree of security and availability because each gold tenant is assigned a separate context or
virtual firewall instance. Traffic for this container goes through NGIPS inspection, providing a higher
degree of security for the tenant.
As shown in Figure 3-7, an NGIPS is physically in line between the ASA firewall and the Nexus 7004
switch. The traffic for the gold tenant received on the tenant outside VRF is first sent through the ASA
firewall context, which applies the necessary access control policies and sends out the traffic on the gold
tenant VLAN. Traffic on the inside VLAN goes through NGIPS, which applies the necessary inspection
policies and passes the traffic to the Nexus 7004 aggregation switch, into the gold tenant inside
(protected) VRF.

39.
3-15
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
Access Control
In the VMDC Cloud Security 1.0 reference architecture, a pair of ASA 5585 access control firewalls is
used to minimize the impact of unwanted network access to the data center. Figure 3-14 illustrates this
access control.
Figure 3-14 Access Control Using the ASA 5585 Firewall
The ASA 5585 firewall pair is used in active/active mode and is configured in multi-context routing
mode. The secure inside network must be in a separate subnet from client subnets and the outside
network. In multi-context mode, virtual contexts are configured on the ASA firewall pair, dividing each
into multiple logical firewalls. Each logical firewall can support different interfaces and policies.
On each of the ASA 5585 firewall pair, half of the tenant contexts are active and half of the tenant
contexts are inactive. This protects all tenants; in the event that one of the ASA 5585 firewall pair fails,
the remaining firewall successfully supports all tenants, as shown in Figure 3-15.
Figure 3-15 ASA 5585 Pair in Active/Active Mode
The ASA 5585 firewall pair create the dual-home to the data center aggregation nodes using two
10-Gigabit Ethernet (10 GbE) links for resiliency. The two links on each firewall are configured as an
EtherChannel to provide both load balancing and responsive failure recovery. The vPC feature on the
Cisco Nexus 7000 data center aggregation switches enables the firewall EtherChannel to span the two
data center aggregation switches while appearing to be connected to one upstream switch. This
EtherChannel link is configured as a VLAN Trunk to support access to multiple secure VLANS in the
data center.
Site to Site VPN
In VMDC Cloud Security 1.0, data center ASA may be used for site-to-site VPN which potentially
eliminates the need for another physical VPN concentrator. For further details, refer to the link below:
http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/11
2153-ccp-vpn-asa-router-config-00.html
297540
Internet
WAN Cloud
DataCenterResources
297541
ASA Firewall 1
Active Tenant 1 – 50
Standby Tenant 51 – 100
Cisco Nexus 7000
Aggregation 1
ASA Firewall 2
Active Tenant 1 – 50
Standby Tenant 51 – 100
Cisco Nexus 7000
Aggregation 2
PC PC
vPC

40.
3-16
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
Secure Remote Access VPN
A pair of ASA in active/standby is required to provide secure remote access VPN (RA-VPN) services
from the service provider cloud. For further details, refer to the link below:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/2-3/design_guide/VM
DC_2-3_DG.pdf
NGIPS Integration
In VMDC Cloud Security 1.0, FirePOWER Next Generation Intrusion Prevention System (NGIPS)
performs line-rate deep traffic inspection.
To secure data center deployments, SPs require complete visibility into their entire networks, for users,
infrastructure, devices, services, and resources. To prevent all threats, SPs must cover the full attack
continuum that occurs before, during, and after attacks. Following these steps prevents the occurrence
of the same threat.
Figure 3-16 shows the steps and elements help achieve strong, effective defense against the
threat-centric attack continuum.
Figure 3-16 Threat-Centric Attack Continuum
As shown in the above diagram, with all the mobility and virtualization, there are now many different
attack vectors such as Mobile users, Virtual desktops etc. This increases the chances of threat and
security concerns.
In VMDC Cloud Security Release 1.0, the ASA firewall is used for access control. This protects the data
center from outsiders and limits the access based on the policies defined for trusted users and
applications. This allows only trusted users/tenants into the data center, but if the trusted users send
malicious traffic, the firewall cannot detect it.
To protect the data center during the normal operation, line rate non-blocking inspection is a necessity.
The Cisco FirePOWER next generation IPS provides the capability to inspect all the traffic in and out
of the cloud data center at a line rate. The next generation IPS provides malware protection and intrusion
prevention by stopping the exploits, hackers, attacks. It also provides application control and URL
filtering which can be implemented on a per tenant basis. During the normal operation, Cisco Cyber
threat defense provides in-depth visibility by collecting Netflow and NSEL streams of data. This can
help cloud providers to actively monitor any threat.
Before
See it, Control it
After
Retrospective Security
During
Intelligent and
Context Aware
Discover Environment
Implement Access Policy
Harden Network and Asset
Achieve Compliance
Determine Scope
Contain
Remediate
Detect
Block
Prevent
Endpoint Mobile Virtual CloudNetwork
Firewall
Tenant Segmentation
Security Zoning
Vulnerability Management
Patch Management
Intrusion Detection
SIEM and Log Management
Forensics
Full Packet Capture
Intrusion Prevention
Cyber Threat Defense
Anti Virus
Anti Malware
Threat Centric Attack Continuum
Events
Actions
Process
Attack
Vectors
297542

41.
3-17
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
In case of data security breach, cloud providers need tools that isolate the incident without compromising
the entire the data center. So that the tenant can trace the breach to its source, the provider can use
multiple security techniques, such as, proper separation of tenants, Intrusion detection, and log
monitoring. The log monitoring also helps later in terms of investigation and forensic activity.
Integrating FirePOWER NGIPS into the VMDC Cloud Security 1.0 reference architecture provides
point-in-time detection of any malware or threat, leveraging big data analytics and a continuous analysis
capability to confirm an infection, trace its path, analyze its behavior, re-mediate its target, and report
its impact regardless of when a file is determined to be malware.
NGIPS enables SPs to look deeply into a device and provides the following information:
1. How did the threat get onto the device?
2. How serious is the threat?
3. What communications were made from the infected device?
4. What is the chain of events?
This information enables SPs to take timely, appropriate action to avoid downtime and provide the most
secure environment to their tenants.
Policy and control using firewalls and other techniques reduce only the surface area of an attack. In
theory this approach makes sense, but in practice this approach fails when trusted persons or devices
initiate attacks. No matter how large or small a security gap is, the bad people will find it and try to
exploit it. It is no longer safe to assume that what is permitted in a network or data center is good. Having
a high speed inspection engine that can inspect all content traveling in and out of a data center to detect,
understand and stop threats is the recommended way to ensure that identified threats can no longer enter
the data center.
Figure 3-17 shows that even after deploying firewalls, infected traffic may get through it. Hence,
high-speed inspection is required to block, mitigate, or quarantine such infections.
Figure 3-17 Threat Penetrations despite Firewalls and control policies
FirePOWER NGIPS combines the security of an industry-leading IPS with the power to control network
access based on detected applications, users, and URLs.
In VMDC Cloud Security 1.0, NGIPS is deployed inline and can:
• Gather detailed information about hosts, operating systems, applications, users, files, networks, and
vulnerabilities.
• Block or permit network traffic based on various network-based criteria, along with other criteria
including applications, users, URLs, IP address reputations, and the results of intrusion or malware
inspections.
• Be deployed in fail-safe or fail-open mode, depending on the deployment requirement.
297543
Internet
High Speed
Inspection
OS: Windows 7
hostname: laptop1
User: jsmith
IP: 12.134.56.78
WAN Cloud
DataCenterResources
12.122.13.62
123.45.67.89

42.
3-18
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
Intrusion detection and prevention enables SPs to monitor data center network traffic for security
violations and, in inline IPS deployments, enable them to block or alter malicious traffic. Intrusion
prevention is integrated into access control, in which SPs can associate intrusion policies with specific
access control rules. If network traffic meets the conditions in a rule, NGIPS can analyze matching
traffic using an intrusion policy.
NGIPS can be deployed in fail closed or fail open modes. This feature enables service provider to decide
what action need to be taken during the failure of an IPS appliance.
Table 3-1 shows the availability of the failure modes for the hardware models:
NGIPS Fail Close Mode
As shown in Figure 3-18 fail close mode is supported on all NGIPS models. In fail close mode, NGIPS
shuts down traffic through the appliance, so packets cannot pass through NGIPS sensor on any NGIPS
interfaces.
Figure 3-18 Fail close Mode
The VMDC Cloud Security 1.0 solution supports fully redundant HA design for all links and network
components. We recommend deploying NGIPS in a fail-safe mode so that a single appliance failure
routes traffic to the secondary path and minimizes the downtime of any services running in the data
center. When deploying NGIPS in a fail close mode, all inspection flows dropped from the failed NGIPS
are picked up by the secondary NGIPS in the middle. The secondary NGIPS starts building the flows as
more packets pass through.
Table 3-1 Failure Mode Availability Based on Hardware and SFP Modules
IPS 8xxx Series with SFP Modules IPS 7xxx Series with Fixed Port
IPS 7xxx Series with Fixed and
SPF Module
Fail Close Only SFP Modules Fail Open and Fail Close Fail Open and Fail close on
Fixed and Fail Close on SFP
Module
Fail Open and fail Close SFP
Modules
297559
ENT-1
ASA Firewall
Context per Tenant
• IPS is Down
• IPS in Fail Open Mode
• No Traffic will Flow Through
NextGen IPS
Outside Tenant
VLAN
Global VRF
Towards
MPLS
Cloud
Inside Tenant
VLAN
Inside Tenant
VLAN
Cisco Nexus 7000
Aggregation
Cisco Nexus 7000
Aggregation
Towards
Tenant
Server
Protected VRF

43.
3-19
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
Note To ensure no packet loss from inspection even if NGIPS picks up flows in the middle, or to deal with the
asymmetrical traffic flows, the STRICT TCP enforcement box must not be checked at the IPS interface
level during the initial configuration.
Note It is not recommended to deploy single NGIPS in a fail close mode. If a single NGIPS deployed in the
data center inline between the aggregation and access layers, in case of NGIPS failure, all the services
go down and no traffic or data can pass through the NGIPS appliance.
NGIPS Fail Open Mode
NGIPS fail open mode is available depending on hardware platform and interface module type used in
the physical appliance. When NGIPS is configured in fail-open mode and there is a failure of either the
appliance or ingress or egress links, the NGIPS appliance closes a mechanical relay in the appliance,
enabling packets to flow through it. In this case, there is no data inspection or monitoring. Instead, traffic
flows transparently without interruption of active services.
Figure 3-19 shows the flow of traffic during fail open mode.
Figure 3-19 Fail Open ModeTraffic Flow
When a failure occurs and NGIPS goes into fail open mode, some security gaps occur for the duration
of the failure. During this time, any malware or intrusions that penetrate the data center using this route
are not captured and impose a risk even after NGIPS recovers from the failure.
Note Recommendation is to configure redundant NGIPS in fail close (fail closed) mode. If a failure occurs on
any side of a network or security component, this enables traffic to move to the second NGIPS.
SPs typically deploy VMDC in multi-tenant environments using overlapping IP addresses. This enables
faster tenant deployment and minimizes operation costs for IP management and maintenance.
In VMDC deployments, overlapping IP address scheme for tenants prevents FireSIGHT Management
Center and FireSIGHT technology from capturing and reporting based on unique IP addresses.
297560
ENT-1
ASA Firewall
Context per Tenant
• IPS is Down
• IPS in Fail Open Mode
• Traffic will Flow Through
• No Inspection
NextGen IPS
Outside Tenant
VLAN
Global VRF
Towards
MPLS
Cloud
Inside Tenant
VLAN
Inside Tenant
VLAN
Cisco Nexus 7000
Aggregation
Cisco Nexus 7000
Aggregation
Towards
Tenant
Server
Protected VRF

44.
3-20
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
The following example shows an SP enabling the hosts monitoring feature on the FireSIGHT
Management Center in an overlapping IP address environment:
1. Host A, with IP address 10.10.10.1, runs Linux in VMDC tenant container A; FireSIGHT
Management Center detects a malware file.
2. Host B, with the same IP address (10.10.10.1) runs Windows in VMDC tenant container B;
FireSIGHT Management Center detects an intrusion.
3. Host C, with the same IP address (10.10.10.1) runs a different version of Linux; FireSIGHT
Management Center detects a malware file and receives the cloud disposition of unknown.
As noted, the three hosts have the same IP address although they belong to three different tenant
containers. This creates a disordered database showing same host deployed with multiple operating
systems, multiple versions of same operating system, a malware detection alert, an intrusion alert, and
at the same time malware detect with unknown disposition.
In this situation, it is extremely difficult to locate the actual hosts and which tenant containers they
belong to. In the preceding example, three hosts have issues in three tenant containers, and The SP may
be unable to locate the exact host to take appropriate action to defend against the threats.
To overcome the overlapping IP address issue, we recommend using VLAN tagging to isolate hosts in
each tenant container, as shown in the following example.
1. Host A, with IP address 10.10.10.1 and VLAN tag 100, runs Linux in VMDC tenant container A;
FireSIGHT Management Center detects a malware file.
2. Host B, with the same IP address (10.10.10.1) with VLAN tag 200, runs Windows in VMDC tenant
container B; FireSIGHT Management Center detects an intrusion.
3. Host C, with the same IP address (10.10.10.1) with VLAN tag 300, runs a different version of Linux;
FireSIGHT Management Center detects a malware file and receives the cloud disposition of
unknown.
Each host belongs to a specific VLAN in a tenant container, so for intrusion detection, FireSIGHT
Management Center can notify the event using the VLAN tag. This enables SPs to pinpoint infected
devices and take appropriate action to mitigate or quarantine them.
When deploying multiple tenants, each tenant will belong to a type of container, either Gold, Silver and
so on, as shown below:
Figure 3-20 MultipleTenant ContainerTypes
Note When configuring an IPS policy per container type, all tenants on the container type receive the same
policy. This helps service providers significantly in terms of operations and maintenance.
297593
FirePOWER IPS
IPS Policies
Copper
Container
Tenant 201-240
Policy – Copper
Policy – Gold
Gold
Container
Tenant 1-100

45.
3-21
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
Note When performing changes to an IPS policy that impacts memory allocations (increase or decrease), the
SNORT process may restart and the IPS sensor may not process packets for a short period of time. The
period of time varies depending on the load and the number of polices applied. As a best practice, we
recommend defining one policy per VMDC container model to improve performance. It is recommend
that when modifying or adding new IPS polices policy changes should be carried out during scheduled
maintenance windows. To inspect all the traffic during a maintenance window, we recommend diverting
the traffic to the failover IPS within the data center before performing maintenance work to minimize
any unforeseen downtime.
Use the Firesight Management Console to deploy intrusion policies with tiers of service. For example,
you can define three IPS policies to represent three tiers of service:
• Gold Tier: Inline, blocking;
• Silver Tier: monitor only;
• Bronze Tier: limited or no monitoring
Any IPS policy can be referenced more than once in the Access Control policy, and events are separated
by VLAN tags for different clients. This approach streamlines the IPS / IDS enforcement per rule in the
Access Control policy. A rule in the Access Control policy can reference either a single client or entire
tier of service.
For malware detection, FireSIGHT Management Center cannot use VLAN tag association; instead, SPs
must build per-tenant file policies and assign the policies in malware rules to detect individual hosts in
a tenant container. This enables SPs to isolate infected hosts in a specific tenant container for malware
detection.
For application monitoring, we recommend enabling application discovery under the network discovery
portion of FireSIGHT Management Center. In SP environments, tenant applications may use
overlapping IP addresses. Although application discovery may have the same issues as hosts with
overlapping IP addresses, this at least gives SPs a high-level view of what applications are running, and
if there are any specific threats to these applications, FireSIGHT Management Center adjusts the threat
level accordingly.
FirePOWER FireSIGHT Management Center
FirePOWER FireSIGHT Management Center provides a centralized management console and event
database repository for FirePOWER NGIPS. FireSIGHT Management Center aggregates and correlates
intrusion, file, malware, discovery, connection, and performance data, assessing the impact of events
with indications of compromise. This enables SPs to monitor what data center devices report in relation
to other devices, and to assess and control the activity that occurs in a data center.
FireSIGHT Management Center can be deployed in a fully redundant mode to ensure continuous
operation. The FireSIGHT Management Center pair shares policies, user accounts, and configurations.
Events are sent to both systems in the redundant pair.
FireSIGHT Management Centers periodically update each other on configuration changes, and changes
made to one system are applied to the other. Each FireSIGHT Management Center has a five-minute
synchronization cycle, but the cycles themselves can be out of synchronization by as much as five
minutes, so changes appear within two five-minute cycles. During this ten-minute window,
configurations may differ on the paired FireSIGHT Management Centers.

46.
3-22
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
FireSIGHT Management Centers in a high availability pair share the following information:
• User account attributes
• Authentication configurations
• Custom user roles
• Authentication objects for user accounts and user awareness, as well as the users and groups that are
available to user conditions in access control rules
• Custom dashboards
• Custom workflows and tables
• Device attributes, such as the device’s host name, where events generated by the device are stored,
and the group in which the device resides
• Intrusion policies and their associated rule states
• File policies
• Access control policies and their associated rules
• Local rules
• Custom intrusion rule classifications
• Variable values and user-defined variables
• Network discovery policies
• User-defined application protocol detectors and the applications they detect
• Activated custom fingerprints
• Host attributes
• Network discovery user feedback, including notes and host criticality; deletion of hosts,
applications, and networks from the network map; and deactivation or modification of
vulnerabilities
• Correlation policies and rules, compliance white lists, and traffic profiles
• Change reconciliation snapshots and report settings
• Intrusion rules, geo-location database (GeoDB), and vulnerability database (VDB) updates
When deploying HA FireSIGHT Management Centers, managed NGIPS are configured to send event
data to both systems. If a system fails, SPs can use the redundant system to monitor the network without
interruption.
When deploying redundant FireSIGHT Management Centers, both physical appliances must be
identical, and both must run the same software and firmware versions. This protects the reporting and
cloud disposition feature in case of single appliance failure without any downtime.
Table 3-2 compares the services available after a FireSIGHT Management Center failure when
deploying one FireSIGHT Management Center with those available with a redundant FireSIGHT
Management Center deployment.

49.
3-25
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
VMDC Cloud Security Design Considerations
FirePOWER FireSIGHT is a discovery and awareness technology that collects information about hosts,
operating systems, applications, users, files, networks, geo-location, and vulnerabilities to provide a
comprehensive view of the data center network.
The FireSIGHT Management Center web interface provides a view of data collected by FireSIGHT. SPs
can use this data to perform access control and modify intrusion rule states.
Access control is a policy-based feature that enables SPs to specify, inspect, and log traffic that can
traverse their networks. An access control policy determines how the system handles network traffic. A
policy that does not include access control rules handles traffic in one of the following ways (default
action):
1. Block all traffic from entering your network.
2. Trust all traffic to enter your network without further inspection.
3. Allow all traffic to enter your network, and inspect the traffic with a network discovery policy only.
4. Allow all traffic to enter your network, and inspect the traffic with intrusion and network discovery
policies.
For VMDC Cloud Security Release 1.0, Copper and Gold tenants are validated. Copper tenants share the
same firewall context and the Copper tenant traffic goes through the inline IPS. Because most Copper
tenants are SMB customers who do not need additional security, this traffic does not require inspection.
Marking traffic as Trusted, prevents inspection.
Note In this release, Bronze tenants were also tested, but this traffic does not go through the firewall and
NGIPS
In VMDC Cloud Security 1.0, Copper tenants have separate server VLANs, even though they share the
same firewall context and are segmented at L2. It is recommended to configure NGIPS with device
fast-path rule in hardware for all the Copper or Silver tenants that may not require deep packet
inspection.
SPs may include access control rules in access control policies to further define how traffic is handled
by targeted devices, from simple IP address matching to complex scenarios involving different users,
applications, ports, and URLs. A rule action is specified for each rule, that is, whether to trust, monitor,
block, or inspect matching traffic with an intrusion or file policy.
In multi-tenant environments in which SPs use the overlapping IP addresses for tenants, the Cisco
FirePOWER IPS can detect and mark per-tenant intrusion events based on VLAN tag. To get per-tenant
malware events, SPs need to define per-tenant file policies.
Network-Based Advanced Malware Protection (AMP)
Network-based advanced malware protection (AMP) is a license based feature. AMP allows the system
to inspect network traffic for malware in several types of files. Appliances can store detected files for
further analysis. After NGIPS detects a file as a culprit, NGIPS submits the file to the FirePOWER cloud
using FirePOWER FireSIGHT Management Center to perform a simple known-disposition lookup using
the SHA-256 hash value of the file.
The following methods can determine whether a file is malware:
• SHA-256 hash—This method is fast and requires minimal communication with the FirePOWER
cloud to get one of three malware dispositions for any file: Clear, Malware or Unknown. When
malware lookup is based on file policy settings, NGIPS captures the file based on the tenant VLAN

50.
3-26
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
Design Options for NGIPS in VMDC Cloud Security Architecture
tag and calculates the SHA-256 hash value. This value is sent to FireSIGHT Management Center,
which forwards the value to the FirePOWER cloud for malware disposition. The cloud lookup time
for the disposition is typically under 200 msec.
• SPERO fingerprint—When this is enabled, NGIPS collects static file attributes and transmits the
SPERO signature to the FirePOWER cloud. This can identify malware even if the specific file SHA
hash value has not been observed.
• Sandbox file analysis—This feature can extract files from the network flow and submit them to the
FirePOWER cloud for evaluation. Submission can be configured to be automatic or manual.
Automatic analysis is limited to Windows PE (executables) having unknown status. Manual
submission supports a wide variety of file types, including MSEXE/DLL, JAR, PDF, SWF, DOC,
DOCX, PPT, PPTX, XLX, XLSX, and RTF.
Using this technique, files are executed in the sandbox environment. Execution results in a threat
score; the file can be marked as malware based on its threat score. Getting a threat score can take
from 5 to 10 minutes. Sandbox file analysis do not block files, but subsequent detection of these
files based on the SHA-256 enables to do a block action on the file.
Depending on the security requirements and threat, service provider configured the system to submit
files for dynamic analysis, which produces a threat score. Using this contextual information, service
provider can configure the system to block or allow specific files. It is recommended to configure
malware protection as part of the overall access control configuration; file policies associated with
access control rules inspect network traffic that meets rule conditions.
Table 3-4 shows different actions the FireSIGHT management center and IPS can take based on the file
policy configurations.
Design Options for NGIPS in VMDC Cloud Security Architecture
The VMDC Cloud Security 1.0 architecture is based on the VMDC 2.3 vPC-based reference architecture
to provide HA and better bandwidth between the vPC peers, such as between aggregation
switches/access switches, and aggregation switches/services components.
In VMDC Cloud Security 1.0, NGIPS is deployed inline to enable SPs to protect entire data centers from
attacks that might affect the availability, integrity, or confidentiality of hosts or devices in the SP
network.
Table 3-4 FireSIGHT Management File Lookup Behavior
File Policy Action Default Behavior
Auto Dynamic File
Analysis SPERO Fingerprint File Types
Detect Files Log No No All supported file
types
Block Files Block & Log No No All supported file
types
Malware Cloud
Lookup
Log,
SHA-256 Lookup
Optional (MS EXE) Optional
(MS EXE)
Malware File Types
Only
Block Malware Log,
SHA-256
Lookup, block if
malware
Optional (MS EXE) Optional
(MS EXE)
Malware File Types
Only

51.
3-27
Cisco VMDC Cloud Security 1.0
Design Guide
Chapter 3 Cloud Security Design Details
Design Options for NGIPS in VMDC Cloud Security Architecture
The VMDC Cloud Security 1.0 architecture is built so that traffic can flow asymmetrically when
entering and exiting a data center. Because of asymmetrical data flows in data centers, NGIPS must be
integrated into the architecture so that it is not affected by the asymmetrical traffic flow.
This section describes design considerations on how and where we can insert the FirePOWER next
generation IPS in the VMDC 2.3 reference architecture in such a way that it will be less disruptive and
provide scale and performance with high availability. There are multiple locations service provider may
be able to insert the NGIPS within the VMDC 2.3 reference architecture. Below sections covered all
such possibilities and provides the recommended method, that will integrate the NGIPS in such a way,
the architecture integrity will not be compromised.
Inserting Multiple NGIPS at the Aggregation Layer (Recommended Design)
As shown in Figure 3-22, NGIPS can be inserted between the aggregation and access layer on each link
to eliminate appliance failure as a single point of failure.
Figure 3-22 Inserting Multiple NGIPS between Aggregation and Access Layer
Table 3-5 summarizes the pros and cons of this deployment model.
• FireSIGHT Management Center
• ACS, Splunk and CTD
• Inside VRF
• Outside VRF
APP
OS
APP
OS
APP
OS
APP
OS
UCS 62xx
Nexus
1000V
UCS
Blade
Chassis
ICS Management POD
297554
APP
OS
APP
OS
IP/MPLS
Nexus 7004
Nexus 7004
WAN/Edge
Aggregation 1’ Aggregation 2’
ASA 1
Citrix SDX Citrix SDX
ASA 2
IPS 1
IPS 2
Aggregation 1 Aggregation 2
NetFlow
Spanned Traffic
Nexus 5548
CTD
Console
CTD
Collector
ACS
FireSIGHT
Splunk
• IPS Inline Mode
Cisco
NGA 3240